How Does Virgil Security's End-to-End Encryption Tech Work?

Rebecca Yarbrough — October 4th, 2018

At Virgil Security, we know that the word "security" can make a developer's head spin. So we're here to help explain exactly what our tech does and what it means for you, your product and your users.

What is end-to-end encryption?

End-to-end encryption is when only the sender and recipient can read a message. It looks like scrambled letters and numbers to anyone else, including telecom and Internet providers, the frontend and backend servers, and any other third party service you might be using in your stack.

Today, a significant amount of web traffic is encrypted in transit (HTTP with TLS or SSL), and a smaller percentage of data is encrypted at rest in the database (encrypted by the cloud storage provider, with the key stored in the database).

How is it different from normal encryption?

While a combination of TLS and at-rest encryption is better than nothing, data breaches clearly still happen daily even with these systems in place. That is because there are gaps along the way where TLS or at-rest encryption starts and stops, and because even with at-rest encryption, the key is stored in the database. This is akin to storing a house key under the doormat. Plaintext data is still accessible to developers and hackers on frontend and backend servers. Plus, governments, ISPs and telcos can see the data. Even if you trust all these people, if there is a technical mechanism that allows them to access it, that technical mechanism is available to anyone to exploit.

Why would I need end-to-end encryption?

Today’s most innovative products know that they need to be secure by design, as consumer, regulatory and developer preferences trend toward privacy and security.

  1. User privacy - The tide is turning against products that read and use consumer data, evidenced by the popularity of encrypted apps like WhatsApp and Telegram, as well as complaints against platforms like Facebook.
  2. Regulatory compliance - You can comply with HIPAA, GDPR, FERPA and other regulations using end-to-end encryption.
  3. Developer comfort - Implementing end-to-end encryption simplifies things for you. If you can’t access the data, that eliminates whole security systems you need to build to protect it.

What does Virgil Security’s technology do?

With end-to-end encryption, each user or endpoint has a public key that works like a public address. Other users in the network encrypt messages to them with that public key, so that only the corresponding private key can decrypt the message. If public keys are like listed telephone numbers in a phone book, private keys are like the PINs that unlock an individual’s cell phone.

Virgil’s SDK powers the encryption and decryption of message data on the client device. Our Cloud service provides key management for the public and private keys needed for the end-to-end encryption. The private keys are stored locally on the client device and the public keys are stored in the Virgil cloud directory. The tech is compatible across all platforms and devices, including iOS, Android, web, desktop, IoT devices and servers. Cross-platform support is one of the tricky parts of end-to-end encryption because each device’s security is designed differently.
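The flow described above (public keys published to a directory, private keys kept on the device, encryption and decryption done on the client), sketched as an added example that is not Virgil's SDK or code from this post. It uses Node's built-in crypto module with a swapped-in hybrid scheme (ephemeral X25519, HKDF-SHA256, AES-256-GCM); the `directory` map, the function names and the sample message are assumptions made for illustration.

```javascript
// Added illustration using Node's built-in crypto module; NOT Virgil's SDK or API.
const crypto = require('node:crypto');

// Hypothetical stand-in for a cloud public-key directory: identity -> public key only.
const directory = new Map();

// Runs on the user's device: the private key is returned to the caller and never published.
function register(identity) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  directory.set(identity, publicKey.export({ type: 'spki', format: 'der' }));
  return privateKey;
}

// Derive a one-time AES-256 key from an X25519 shared secret, bound to the ephemeral key.
function deriveKey(privateKey, publicKey, ephDer) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephDer, 'e2ee-demo', 32));
}

// Sender side: look up the recipient's public key and encrypt before anything leaves the device.
function encryptFor(recipient, plaintext) {
  const recipientPub = crypto.createPublicKey({ key: directory.get(recipient), type: 'spki', format: 'der' });
  const eph = crypto.generateKeyPairSync('x25519');
  const ephDer = eph.publicKey.export({ type: 'spki', format: 'der' });
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(eph.privateKey, recipientPub, ephDer), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { eph: ephDer, iv, ct, tag: cipher.getAuthTag() }; // all a server or network ever sees
}

// Recipient side: only the holder of the matching private key can rebuild the AES key.
function decryptWith(privateKey, msg) {
  const ephPub = crypto.createPublicKey({ key: msg.eph, type: 'spki', format: 'der' });
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(privateKey, ephPub, msg.eph), msg.iv);
  decipher.setAuthTag(msg.tag);
  // final() throws if the key is wrong or the ciphertext was modified in transit.
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]).toString('utf8');
}

// Constructed sample exchange: two registered users, one message addressed to bob.
const bobKey = register('bob');
const eveKey = register('eve');
const envelope = encryptFor('bob', 'lab results attached');
console.log(decryptWith(bobKey, envelope));
```

The sketch takes whatever key the directory returns at face value. A directory that can substitute keys can read traffic, so a real deployment has to authenticate the public keys it serves.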

How do I use it?

Sign up for a free Virgil Security account, then create an application in the Virgil Dashboard and get started with a tutorial in the dashboard.

We have free, open source SDKs for most platforms and languages. Cloud key management is $0.02 per user per month. Building a secure key management system is what makes end-to-end encryption so hard. So while you don’t need to use our cloud service, we strongly discourage rolling your own crypto.

Learn More

Popular tutorials:

  1. HIPAA Compliant End to End Encryption with Firebase
  2. HIPAA Compliant End to End Encryption with PubNub
  3. GDPR Compliance
  4. HIPAA Compliance

If you have any questions, join our Slack channel and chat with us!

Virgil Security, Inc. allows developers to protect passwords & encrypt everything, in hours, without having to become security experts. Learn more at VirgilSecurity.com.
